The EU GDPR raises the bar for data security, privacy and protection

Friday 25 May 2018 08:58 CET | Voice of the industry

Rachel Gauci from Credorax talks about the buzz brought today by the European Union General Data Protection Regulation (GDPR)

May 25, 2018 is the official day on which the European Union General Data Protection Regulation (GDPR) goes into effect. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens. Many businesses do not understand that failing to comply could cost them dearly, and yet most aren’t ready.

The cost of non-compliance

In fact, TechRepublic, known for advising on best practices and tools, reports that sixty percent of businesses are likely to miss the GDPR compliance deadline. One of the biggest contributing hurdles is not having enough knowledgeable staff to implement the changes.

Considering how severe the fines and penalties could be for noncompliant companies in the event of a security breach, no excuse will be good enough when failing to safeguard the online business costs the company millions. Unfortunately, it comes down to the fact that many ecommerce merchants just do not understand what compliance with the GDPR really means.

GDPR takes a broad view of what constitutes personally identifiable information. Merchants and PSPs have not yet come to understand that they will need the same level of protection for individual IP addresses or cookie data as they do for the traditional name, address and personal or national identification number. GDPR is indeed setting the standard for consumer rights regarding their data, something all online merchants and ecommerce businesses need to know. Security teams will be challenged as they put systems and processes in place to comply.

Non-compliance just won’t cut it in this case. Research and many reports predict that most businesses that collect personal data from customers, clients, and vendors will at some point experience a security breach in which that data is exposed, compromised or stolen.

While GDPR compliance doesn’t mean businesses have to fix all unknown security vulnerabilities or eliminate any chance of a security incident, it does require businesses to show they’ve taken all of the appropriate steps to mitigate risk and limit the damage a security breach could cause to EU citizens.

A plan of action

This is why it has become critical for all ecommerce businesses to have documented steps showing they’ve closed the loop on potential security vulnerabilities. Having a documented plan of action and showing that changes have been made to safeguard high-risk areas is going to be key in achieving GDPR compliance. It is certainly a business’ best bet to avoid costly fines and penalties if a breach were ever to occur.

Putting together a roadmap should start with educating the relevant teams about GDPR. It is also important to document the categories of personal data the business collects and processes. Every ecommerce business should know what data is being collected, why, how and by whom.

Conducting an information audit helps make a data assessment satisfy GDPR requirements. Also key is having a comprehensive GDPR compliance policy in place: one that defines the procedures, delivers protocols limiting access to personal data, sets consent standards, and provides practical procedures for honouring the data subjects’ right to access and, if requested, delete their personal data. This can be quite complex, as it covers intrusion policies (including intrusion detection), data classification, privacy protection, password management, audits, reporting and encryption, among others.

Data subjects

GDPR backs the need for clear and lawful consent from the data subjects themselves to use personal data. Ultimately all ecommerce businesses that collect and process data should review their current consent requests to ensure all essential adjustments are made for adhering to GDPR compliance.

GDPR policies and procedures help to ensure data security. Specific provisions state that data subjects must be granted access to their own data. They can check it for accuracy, assess what their data has been used for, and track how it has been processed. Data subjects have the ultimate power over their own personal data: for example, they can request an electronic copy to be transferred to another organization, or request to have it deleted, which must be done in a timely manner.

Data privacy by design and Data Protection Impact Assessments

The concept of ‘Privacy by Design’ is an important one. Businesses that utilise any personal data now need to design products, services, and public-facing communication infrastructures with privacy in mind from the onset of the development process. Data privacy needs to be accounted for in every project. Data protection impact assessments should be integrated and documented at the beginning of every project to achieve data privacy by design. Procedures need to be in place to ensure these steps are taken in all development processes.

Data protection impact assessments are performed for any new formats or changes to processing that represent any level of risk to the privacy and protection of personal data. When assessing current processes, it is important to evaluate any previous process changes or new process implementations for data privacy vulnerabilities and protection concerns. Again, with GDPR documentation is always of the utmost importance, especially in the event of an audit.

Security breaches

Privacy management is like crisis management: there needs to be a comprehensive plan in place, ready in the event of any personal data being exposed, compromised, or stolen through a security breach. Implementing intrusion detection and an incident response policy helps mitigate any damage caused by a breach.

Always have a well-documented and functioning procedure for notifying data subjects of any breach that has occurred. The notification should share information about the compromised data, when the breach occurred and the status of the security vulnerability, and, lastly, tell data subjects how they can obtain more information about the breach.

The GDPR provides for the designation of a Data Protection Officer (DPO). Many businesses are bringing on a DPO because such an officer is instrumental in ensuring data protection policies and procedures are implemented and followed, in addition to giving regulators a knowledgeable point of contact. The DPO would typically be the one to communicate with authorities investigating security incidents.

Increased partner responsibility

Make sure you analyse third-party risks and pick your partners carefully. Under GDPR, businesses can be held liable for security breaches involving personal data that is controlled or processed by third parties on their behalf. In light of this, it is critical to conduct a thorough evaluation not only of your own data protection policies and procedures but also of those of your third-party contractors and/or suppliers.

The final outcome

No security procedure is flawless, as the number of data breaches, which grows every year, makes clear. However, documented proof that data protection and privacy policies, protocols, and procedures are in place provides a great advantage in keeping away fines, penalties and the reputational damage of a security breach.

About Rachel Gauci

Rachel provides legal advice on issues concerning merchants and payment services, licensing requirements, contract negotiations, as well as legal advice concerning core regulatory issues. Connect with her via LinkedIn.

About Credorax

In 2007, Credorax saw an opportunity to change the landscape of traditional merchant acquiring by using its technology assets to address the needs of online merchants of all sizes. This led the company to evolve into a Merchant Acquiring Bank specializing in cross-border ecommerce, with more than 200 employees globally and operations spread across Europe, the US, UK, Malta, and Israel.
